
This is all in an AWS VPC environment.

We have an old Ubuntu 12.04 machine running OpenSwan which is managing a pile of VPN connections. This has worked well for us thus far, but 12.04 is no longer supported and OpenSwan is EOL so we want to move to 18.04 and LibreSwan (which we understand should be largely compatible).

My question is what are our options for doing this with minimal downtime and without coordination with the other sides of all these connections?

In theory I could just build the box, copy the configs over and flip the virtual IP at some point, but that sounds unlikely to work well without large amounts of downtime.

Ideally I'd like some way of routing only one source to the new box at a time and migrate them a little at a time, testing as I go. But I don't know what routing magic I need to do to make this happen either at the VPC or other level. From what I can tell AWS virtual public IPs can only belong to one machine at a time, so not sure how I would route all the traffic from say one of the other gateways to a new box while keeping the rest on the old one.

One simplification is that all private traffic is staying on this host. I.e., we aren't routing traffic THROUGH this box; rather, this box is dealing with all that private traffic internally. So I think that's a simplifier.

Surely I can't be the first to run into this. How are IPsec migrations like this done?

    I can't think of any way you can do this migration without downtime. It would be rather short, just a few seconds or minutes at most, but I don't think it's avoidable. – Michael Hampton May 16 '19 at 01:30
  • A few minutes is fine; what I'm concerned about is debugging some tweak that needs to happen in configuration and having to do that with 50+ tunnels at once. I.e., if I can migrate one tunnel at a time, then a minute of downtime is a-ok for each as I tweak settings, but having them all down as I fight those configurations wouldn't be. – Nicolas Pottier May 16 '19 at 03:06
  • This is the sort of thing that DNS, particularly "different answers per client" DNS, is perfect for. – womble May 16 '19 at 04:08
  • Interesting idea and one we may adopt going forward. Sadly as of now all our peers are pointing to our static AWS virtual IP. – Nicolas Pottier May 16 '19 at 12:53
